Skip to content

G0053 FIN5

FIN5 is a financially motivated threat group that has targeted personally identifiable information and payment card information. The group has been active since at least 2008 and has targeted the restaurant, gaming, and hotel industries. The group is made up of actors who likely speak Russian. 1 2 3

Item Value
ID G0053
Associated Names
Version 1.2
Created 16 January 2018
Last Modified 16 October 2021
Navigation Layer View In ATT&CK® Navigator

Techniques Used

Domain ID Name Use
enterprise T1119 Automated Collection FIN5 scans processes on all victim systems in the environment and uses automated scripts to pull back the results.2
enterprise T1110 Brute Force FIN5 has has used the tool GET2 Penetrator to look for remote login and hard-coded credentials.32
enterprise T1059 Command and Scripting Interpreter FIN5 scans processes on all victim systems in the environment and uses automated scripts to pull back the results.2
enterprise T1074 Data Staged -
enterprise T1074.001 Local Data Staging FIN5 scripts save memory dump data into a specific directory on hosts in the victim environment.2
enterprise T1133 External Remote Services FIN5 has used legitimate VPN, Citrix, or VNC credentials to maintain access to a victim environment.132
enterprise T1070 Indicator Removal -
enterprise T1070.001 Clear Windows Event Logs FIN5 has cleared event logs from victims.2
enterprise T1070.004 File Deletion FIN5 uses SDelete to clean up the environment and attempt to prevent detection.2
enterprise T1588 Obtain Capabilities -
enterprise T1588.002 Tool FIN5 has obtained and used a customized version of PsExec, as well as use other tools such as pwdump, SDelete, and Windows Credential Editor.2
enterprise T1090 Proxy -
enterprise T1090.002 External Proxy FIN5 maintains access to victim environments by using FLIPSIDE to create a proxy for a backup RDP tunnel.2
enterprise T1018 Remote System Discovery FIN5 has used the open source tool Essential NetTools to map the network and build a list of targets.2
enterprise T1078 Valid Accounts FIN5 has used legitimate VPN, RDP, Citrix, or VNC credentials to maintain access to a victim environment.132

Software

ID Name References Techniques
S0173 FLIPSIDE 2 Protocol Tunneling
S0029 PsExec FIN5 uses a customized version of PsExec.2 Domain Account:Create Account Windows Service:Create or Modify System Process Lateral Tool Transfer SMB/Windows Admin Shares:Remote Services Service Execution:System Services
S0006 pwdump 2 Security Account Manager:OS Credential Dumping
S0169 RawPOS 32 Archive via Custom Method:Archive Collected Data Windows Service:Create or Modify System Process Data from Local System Local Data Staging:Data Staged Masquerade Task or Service:Masquerading
S0195 SDelete 2 Data Destruction File Deletion:Indicator Removal
S0005 Windows Credential Editor 32 LSASS Memory:OS Credential Dumping

References

  1. Scavella, T. and Rifki, A. (2017, July 20). Are you Ready to Respond? (Webinar). Retrieved October 4, 2017. 

  2. Bromiley, M. and Lewis, P. (2016, October 7). Attacking the Hospitality and Gaming Industries: Tracking an Attacker Around the World in 7 Years. Retrieved October 6, 2017. 

  3. Higgins, K. (2015, October 13). Prolific Cybercrime Gang Favors Legit Login Credentials. Retrieved October 4, 2017.